From 399a7854d2143d90022712cd29a15dbacd6892e3 Mon Sep 17 00:00:00 2001
From: chchen7
Date: Sat, 7 Feb 2026 00:52:57 +0800
Subject: [PATCH] fix: add bounds check for PDU session PSI bitmap
---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/gmm/handler.go | 29 ++++++++++++++++++++++++++++-
 3 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 571c4f09..6bc4bcfc 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/free5gc/ngap v1.1.2
 github.com/free5gc/openapi v1.2.3
 github.com/free5gc/sctp v1.1.1
- github.com/free5gc/util v1.3.1
+ github.com/free5gc/util v1.3.2-0.20260204030658-79d56f347175
 github.com/gin-gonic/gin v1.10.0
 github.com/google/uuid v1.6.0
 github.com/mitchellh/mapstructure v1.5.0
diff --git a/go.sum b/go.sum
index cd8f5f8c..0a2d0601 100644
--- a/go.sum
+++ b/go.sum
@@ -31,8 +31,8 @@ github.com/free5gc/openapi v1.2.3 h1:w4TmYBR8TUE4ZgKo7eiMZbyZPURSBFlMWiFeX+OsiA8
 github.com/free5gc/openapi v1.2.3/go.mod h1:fLvaBtUZrvrzkKrmn5Aza+JNbpWnp3kxKixu6kLSD3k=
 github.com/free5gc/sctp v1.1.1 h1:FfoQjIwMDL+IfD3YWx/+S2nO7fFVi/5FZ11xJQ/gRi0=
 github.com/free5gc/sctp v1.1.1/go.mod h1:th0y/MUwlqBcoy9nY65VEOdoCgu3ObV1ADAicgkpLl0=
-github.com/free5gc/util v1.3.1 h1:5j5Exvp42Ow3zNP2aaAp68MSne6BcaCF4/cekXYUS6w=
-github.com/free5gc/util v1.3.1/go.mod h1:qsv/ez8YhI+pO8bjNiZWXc2xmRE3XuEIa0EDTCPkSy0=
+github.com/free5gc/util v1.3.2-0.20260204030658-79d56f347175 h1:F1KLSNuHBQzQC2rjC0Zu0ehaAc1n2Gmkw52g8YgnsdY=
+github.com/free5gc/util v1.3.2-0.20260204030658-79d56f347175/go.mod h1:qsv/ez8YhI+pO8bjNiZWXc2xmRE3XuEIa0EDTCPkSy0=
 github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
 github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
diff --git a/internal/gmm/handler.go b/internal/gmm/handler.go
index 71059086..2b08e060 100644
--- a/internal/gmm/handler.go
+++ b/internal/gmm/handler.go
@@ -35,6 +35,7 @@ import (
 Nnrf_NFDiscovery "github.com/free5gc/openapi/nrf/NFDiscovery"
 "github.com/free5gc/util/fsm"
 nasMetrics "github.com/free5gc/util/metrics/nas"
+ "github.com/free5gc/util/validator"
 )
 
 const psiArraySize = 16
@@ -90,6 +91,9 @@ func transport5GSMMessage(ue *context.AmfUe, anType models.AccessType,
 
 if id := ulNasTransport.PduSessionID2Value; id != nil {
 pduSessionID = int32(id.GetPduSessionID2Value())
+ if !validator.IsPduSessionIdInPsiRange(pduSessionID) {
+ return errors.New("PDU Session ID is invalid")
+ }
 } else {
 return errors.New("PDU Session ID is nil")
 }
@@ -1331,6 +1335,14 @@ func reactivatePendingULDataPDUSession(ue *context.AmfUe, anType models.AccessTy
 pduSessionID := key.(int32)
 smContext := value.(*context.SmContext)
 
+ // check pduSession id is valid
+ if !validator.IsPduSessionIdInPsiRange(pduSessionID) {
+ ue.GmmLog.Errorln("Invalid PDU Session ID:", pduSessionID)
+ errPduSessionId = append(errPduSessionId, uint8(pduSessionID))
+ errCause = append(errCause, nasMessage.Cause5GMMSemanticallyIncorrectMessage)
+ return true
+ }
+
 // uplink data are pending for the corresponding PDU session identity
 if !uplinkDataPsi[pduSessionID] ||
 (pduSessionID == dlPduSessionId && serviceType == nasMessage.ServiceTypeMobileTerminatedServices) {
@@ -1393,6 +1405,12 @@ func releaseInactivePDUSession(ue *context.AmfUe, anType models.AccessType, uePd
 pduSessionID := key.(int32)
 smContext := value.(*context.SmContext)
 
+ // check pduSession id is valid
+ if !validator.IsPduSessionIdInPsiRange(pduSessionID) {
+ ue.GmmLog.Errorln("Invalid PDU Session ID:", pduSessionID)
+ return true
+ }
+
 if uePduStatus[pduSessionID] {
 pduStatusResult[pduSessionID] = true
 return true
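Review bot: The in-range guarantee for every `[psiArraySize]bool` index in this file now rests on `validator.IsPduSessionIdInPsiRange`, imported in the first hunk from a `github.com/free5gc/util` pseudo-version, and the range it accepts is not visible in this patch. The arrays are still sized by the local `psiArraySize = 16` shown at the end of the same hunk, so if the two ever disagree an ID that passes the check can still index past the array and panic the handler. I would document the coupling next to the constant, for example `// psiArraySize must be greater than every ID accepted by validator.IsPduSessionIdInPsiRange.`, and pin it with a unit test over the boundary values.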
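Review bot: In transport5GSMMessage the rejection `errors.New("PDU Session ID is invalid")` drops the offending value, whereas the other checks added by this patch all log the ID. The value is read from the UE's UL NAS Transport message, so keeping it in the error helps separate a misbehaving UE from a decoding bug; if `fmt` is already imported in this file, `return fmt.Errorf("PDU Session ID %d is out of PSI range", pduSessionID)` would do. The function starts and ends outside the hunk, so how the caller reports this error back to the UE is not visible here.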
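Review bot: In reactivatePendingULDataPDUSession, `uint8(pduSessionID)` is applied to a value that has just failed the range check, so a negative or larger-than-255 `int32` key wraps around and `errPduSessionId` can name a different session, possibly a valid one, as the failing one. Guard the two `append` lines with `if pduSessionID >= 0 && pduSessionID <= 255 {` or skip the report entirely for IDs that do not fit in a byte. Where `errPduSessionId` and `errCause` are consumed is outside the hunk, so the effect on the message returned to the UE should be confirmed.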
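Review bot: In releaseInactivePDUSession an out-of-range entry is only logged and skipped, so the SmContext appears to stay in the collection being iterated and the same `Errorln` fires on every later pass; getPDUSessionStatus and reactivatePendingULDataPDUSession have the same log-and-continue shape. An entry whose ID can never be valid looks like state that should be released or removed rather than tolerated, and an error-level line per pass lets one bad entry inflate the logs indefinitely. Consider rejecting the ID where the SmContext is stored (not visible in this patch) and marking these checks with a comment such as `// defensive guard: IDs should already be validated when the SmContext is stored`.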
@@ -1437,7 +1455,11 @@ func reestablishAllowedPDUSessionOver3GPP(ue *context.AmfUe, anType models.Acces
 if reactivationResult == nil {
 reactivationResult = new([psiArraySize]bool)
 }
- if allowedPsi[requestData.PduSessionId] {
+ // check pduSession id is valid
+ if !validator.IsPduSessionIdInPsiRange(requestData.PduSessionId) {
+ ue.GmmLog.Errorln("Invalid PDU Session ID:", requestData.PduSessionId)
+ callback.SendN1N2TransferFailureNotification(ue, models.N1N2MessageTransferCause_UE_NOT_REACHABLE_FOR_SESSION)
+ } else if allowedPsi[requestData.PduSessionId] {
 // re-establish the PDU session associated with non-3GPP access over 3GPP access.
 // notify the SMF if the corresponding PDU session ID(s) associated with non-3GPP access
 // are indicated in the Allowed PDU session status IE
@@ -1497,6 +1519,11 @@ func getPDUSessionStatus(ue *context.AmfUe, anType models.AccessType) *[psiArray
 if smContext.AccessType() != anType {
 return true
 }
+ // check pduSession id is valid
+ if !validator.IsPduSessionIdInPsiRange(pduSessionID) {
+ ue.GmmLog.Errorln("Invalid PDU Session ID:", pduSessionID)
+ return true
+ }
 pduStatusResult[pduSessionID] = true
 return true
 })
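Review bot: In reestablishAllowedPDUSessionOver3GPP the new branch reports `N1N2MessageTransferCause_UE_NOT_REACHABLE_FOR_SESSION` for what is actually a malformed `requestData.PduSessionId`, which tells the SMF something untrue about the UE and hides the input error from whoever reads the notification. The ID was already held in `requestData` before this function ran, so the earlier place to reject it is presumably the handler that accepts the N1N2 message transfer request (not visible in this patch), where it can be answered as a bad request instead of being queued. At minimum add a comment on the branch explaining why this cause was chosen. Whether the pending N1N2 message is cleared after this branch is outside the hunk and worth checking.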